item 33299121

saddlerustle | 3 years ago

> What I find intriguing is that E2EE was significantly more common long ago than it is today.

This is absurd. Today a large fraction of the world's population is using E2EE via WhatsApp.

LinuxBender | 3 years ago

> Today a large fraction of the world's population is using E2EE via WhatsApp.

That is a good example of the problem I am describing. People are using E2EE created, deployed and maintained by WhatsApp in WhatsApp. That is a problem. The E2EE in WhatsApp is not truly E2EE if it is maintained by the very people providing the service, in my unwavering opinion. True E2EE is entirely outside of the service transport that messages are traversing, meaning that FB could not possibly intercept the messages even if their livelihood depended on it. Today people have to just trust that FB are not targeting people with custom intercept code or code that otherwise precludes E2EE for specific messages or recipients. That is what I call a pinky promise, sometimes also referred to as a Pinky Swear [1].

I follow the logic of, people will do what people can do. If the application can be monkeyed with, it will be. Message encryption must be entirely outside of the purview of the application. Even OTR was somewhat at risk of interception. That is why I would have expected that by today this would have been a solved problem and highly evolved.

[1] - https://en.wikipedia.org/wiki/Pinky_swear

georgyo | 3 years ago

There are a few reasons why I think it has to be at the app itself.

In order to be actually secure, all conversations must be encrypted, without exception.

OTR is one channel method of encrypting text, but it isn't the only method. For example, using PGP over text messages is also a plugin for Pidgin. Competing standards mean your Venn diagram of people and chat protocols now gets an entirely new axis of encryption method.

Metadata is data. Without seeing the message content, it is still valuable to see who is talking to who and when.

There are always tradeoffs. While OTR may be more verifiably secure, its difficulty hinders adoption. A balance has to be reached between ease of use and security. If it is easy to get it wrong, then people will have a false sense of security. That is strictly worse than no actual security.

matheusmoreira | 3 years ago

And yet WhatsApp does have end-to-end encryption and everyone in my country is using it. Not perfect but it's demonstrably an improvement over everything else that came before. Courts were unable to compel WhatsApp to reveal messages.